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ABSTRACT 


Thousands of competing autonomous systems (ASes) must 
cooperate with each other to provide global Internet con- 
nectivity. These ASes encode various economic, business, 
and performance decisions in their routing policies. The cur- 
rent interdomain routing system enables ASes to express pol- 
icy using rankings that determine how each router in an AS 
orders the different routes to a destination, and filters that 
determine which routes are hidden from each neighboring 
AS. Since the Internet is composed of many independent, 
competing networks, the interdomain routing system should 
allow providers to set their rankings independently, and to 
have no constraints on allowed filters. This paper studies 
routing protocol stability under these constraints. We first 
demonstrate that certain rankings that are commonly used 
in practice may not ensure routing stability. We then prove 
that, with ranking independence and unrestricted filtering, 
guaranteeing that the routing system will converge to a sta- 
ble path assignment essentially requires ASes to rank routes 
based on AS-path lengths. Finally, we discuss the implica- 
tions of these results for the future of interdomain routing. 


1. Introduction 


The Internet’s routing infrastructure is made up of thou- 
sands of independently operated networks that cooperate to 
exchange global reachability information using an interdo- 
main routing protocol, the Border Gateway Protocol, Ver- 
sion 4 (BGP) [14]. This cooperation occurs in a landscape 
where these independent networks, or Autonomous Systems 
(ASes), compete to provide Internet service. BGP facilitates 
this “competitive cooperation” by enabling network opera- 
tors to express routing policies that are consistent with de- 
sired economic, business, and performance goals. 

Ranking and filtering are two orthogonal mechanisms that 
network operators use to implement their policies. Rank- 
ing determines the route to a destination that should be used, 
given several available routes. It allows an AS the freedom 
to specify preferences over multiple candidate paths to a des- 
tination (e.g., specifying a primary and a backup path). ASes 
should be able to operate autonomously, retaining ranking 
independence; i.e., the ability to specify rankings indepen- 
dently of the rankings of other ASes. Ranking independence 
enables ASes to specify rankings without coordinating with 
one another or revealing their rankings to other ASes. 

Filtering allows an operator to selectively advertise (or ex- 
port) routes to some ASes, and hide routes from other ASes. 
Filtering allows an AS to control which neighboring ASes 


Figure 1: Instability can arise when ASes independently specify rank- 
ings [10, 16]. Each circle represents an AS. AS 0 is the destination. The 
listing of paths beside each node denotes a ranking over paths. 


can send traffic over its infrastructure, because advertising 
routes to a neighboring AS is an implicit agreement to carry 
traffic for that AS. To empower flexible business contracts, 
an AS should always retain autonomy over its decision to 
advertise routes to its neighbors; i.e., the routing protocol 
should not mandate any filtering restrictions. 

The combination of ranking independence and unre- 
stricted filtering forms the cornerstone of interdomain rout- 
ing, and has, in large part, been the reason for the success of 
BGP over the past decade. However, the ability to specify 
highly expressive policies comes at considerable cost to sys- 
tem robustness: as has been observed by Varadhan et al.and 
Griffin et al., among others, if ASes are not subject to any 
constraints on the rankings that they can specify, BGP may 
oscillate forever [10, 16]. 


Example 1 Consider Figure 1 [10, 16]. ASes 1, 2, and 3 each 
prefer the indirect path through their neighboring AS in the 
clockwise direction over the direct path to the destination, 0. 
All other paths are filtered. This configuration has no stable 
path assignment (i.e., a path assignment from which no node 
would deviate). For example, consider the path assignment 
(10, 210, 30); in this case, AS 1 has a better path available 
to it, 130, so it switches paths. This switch causes the path 
(210) to break, causing AS 2 to switch to its second choice, 
path (20). The resulting path assignment, (130, 20, 30), is a 
permutation of the original path assignment: this time, AS 
3 has the path 320 available, so it switches. This oscillation 
continues forever. a 


In light of this discovery, a natural question to ask is: 
“What are the necessary and sufficient conditions that guar- 
antee global routing stability?” This question is rather broad, 
because these conditions depend on various modeling deci- 
sions: the details of the routing protocol, restrictions on fil- 
tering, and whether ASes retain policy independence. This 
paper studies how the rankings allowed by a routing pro- 
tocol must be restricted to guarantee global routing stabil- 
ity, assuming that ASes (1) retain ranking independence and 


(2) face no restrictions on filtering. This question is impor- 
tant for two reasons. First, both ranking independence and 
unrestricted filtering reflect realities of how ASes specify 
policies today. Second, answering this question will deepen 
our understanding of stability of policy-based routing proto- 
cols, complementing earlier results by Varadhan et al. [16], 
Griffin et al. [10], and Gao and Rexford [6] (Section 2). 

This paper makes three main contributions. First, in Sec- 
tion 4.1, we show that rankings based solely on the immedi- 
ate next-hop AS en route to the destination may never reach 
a stable path assignment from an arbitrary initial state; i.e., 
next-hop rankings, which are common in practice, are not 
safe. Moreover, under unrestricted filtering, a routing system 
with next-hop rankings may have no stable path assignment. 
In addition to their operational implications, these results are 
also somewhat surprising, because next-hop rankings with 
no route filtering always have one stable path assignment [4]. 
We also observe that although rankings based on a globally 
consistent weighting of paths are safe under filtering, even 
minor generalizations of the weighting function compromise 
safety (Section 4.2). 

Second, we define a dispute ring, a special case of the 
“dispute wheel” (a group of nodes whose rankings have a 
particular form) of Griffin et al. [10], and show that any 
routing system that has a dispute ring is not safe under filter- 
ing (Section 5). Using the dispute wheel concept, Griffin et 
al. showed a sufficient condition for safety, proving that if a 
routing system is unsafe then it must have a dispute wheel. 
In contrast, to our knowledge, our result is the first known 
necessary condition for safety under filtering. 

Third, we show that under ranking independence and un- 
restricted filtering, the set of allowable rankings that guaran- 
tee safety is effectively ranking based on (weighted) shortest 
paths. In Section 6, we prove that any routing system that 
permits paths of length n+2 to be ranked over paths of length 
mn can have a dispute ring, and is thus unsafe under filtering. 
We also prove that any routing system that permits paths of 
length n + 1 to be ranked over paths of length n can have 
a dispute wheel. In summary, our results indicate that sta- 
ble policy routing with provider independence (i.e., ranking 
independence and unrestricted filtering) requires tight con- 
straints on rankings. 

Our findings may be interpreted in several ways. The opti- 
mist will note that checking a set of rankings to ensure safety 
is trivial, because all it requires is that BGP routers mod- 
ify the decision process to consult a route’s “local prefer- 
ence” attribute only after considering its AS path length. The 
pessimist, however, will note that guaranteeing safe routing, 
preserving ranking independence, and allowing unrestricted 
filtering, requires constraints that may be too strong to per- 
mit sufficient ranking expressiveness, since it effectively pre- 
cludes an AS from ranking longer paths over shorter ones. In 
either case, our results suggest that stable interdomain rout- 
ing protocols face a fundamental tradeoff between the ex- 
pressiveness and independence of an AS’s policies. 


2. Background and Related Work 


A seminal paper by Varadhan et al. observed that policy- 
based interdomain routing protocols could oscillate and de- 
fined the concept of safety [16]. Varadhan ef al. also con- 
jectured that routing systems that allow rankings other than 
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Figure 2: Constraints on filtering and topology are not enforceable. 


those based on next-hop rankings or shortest path routing 
may be unsafe [16]. 

Griffin et al. asked how expressive an autonomous, robust 
routing system can be; this paper addresses this question [9]. 
Varadhan et al. showed that a routing system with an acyclic 
topology will have at least one stable path assignment if par- 
ticipants can only express next-hop preferences [16]. Feigen- 
baum et al. also observed this fact for general topologies [4]. 
In this paper, we show that when BGP’s protocol dynamics 
are taken into account, restricting each AS to only next-hop 
rankings does not guarantee that the routing system will be 
safe (even though the routing system always has at least one 
stable path assignment). 

Gao and Rexford derived sufficient constraints on rank- 
ings, filtering, and network topology to guarantee routing 
stability; they also observe that these constraints reflect to- 
day’s common practice [5, 6]. They showed that if every 
AS considers each of its neighbors as either a customer, a 
provider, or a peer, and obeys certain local constraints on 
rankings and filtering, and if the routing system satisfies cer- 
tain topology constraints, then BGP is stable. However, their 
model does not incorporate ranking independence, as their 
proposed topological constraints are global. Furthermore, 
their model restricts filtering; the example below illustrates 
why these restrictions may sometimes be too strict. 


Example 2 Figure 2 shows a situation that occurred in the 
Internet in 2001 [2]. When PSINet terminated its peering 
with AboveNet, AboveNet lost connectivity to PSINet’s cus- 
tomers, d,. To restore connectivity, AboveNet bought “‘tran- 
sit” service from Verio (already a peer of PSINet), but only 
for routes to PSINet and its customers. 

Verio does not filter d; (or any of PSINet’s prefixes) from 
AboveNet, which is only possible if Verio treats AboveNet 
as a customer. The constraints imposed by Gao and Rexford 
state that an AS must prefer customer routes over peering 
routes.'! This constraint requires Verio to rank AboveNet’s 
route to dz over any other available routes to dz in order to 
guarantee stability, which restricts Verio’s flexibility in how 
it can select routes. Establishing a new business relationship 
(and, hence, altering its filtering policies) requires Verio to 
change its rankings as well. | 


Various previous work has studied global conditions to 
guarantee the safety of routing systems; global conditions 
presume that the routing system does not preserve local 
choice of rankings (i.e., ranking independence). Griffin et 
al. showed that, if the rankings of the ASes in a routing sys- 
tems do not form a dispute wheel (a concept that describes 


1Gao and Rexford present a weaker constraint that allows an AS to rank 
routes learned from customers and peers over those from providers, but does 
not require customer routes to be strictly preferred over routes from peers. 
This relaxed condition requires that there are no instances where an AS’s 
customer is also a peer of another one of the AS’s peers. Of course, Exam- 
ple 2 could also violate this constraint on the topology: PSINet is Verio’s 
customer for d1, but it would be reasonable for PSINet to peer with another 
of Verio’s peers, since all are “tier-1” ISPs. 


global relationship between the rankings of a set of ASes), 
then the routing system is safe [10]. Griffin et al. also 
showed how to modify a BGP-like path vector protocol to 
detect the existence of a dispute wheel but left unspecified 
how the ASes should resolve the dispute wheel [11]. Machi- 
raju and Katz defined a new global invariant for determining 
safety when at most one AS deviates from the conditions of 
Gao and Rexford [13]. Govindan et al. proposed a routing 
architecture where ASes coordinate their policies [7, 8] us- 
ing a standardized policy specification language [1]. Jaggard 
and Ramachandran presented global conditions that guar- 
antee safety of routing systems that allow ASes to express 
only next-hop preferences over routes, and designed central- 
ized and distributed algorithms to check these global con- 
ditions [12]. Sobrinho defined new concepts that describe 
global relationships between preferences and incorporated 
several previous results (including those of both Griffin et 
al. [10] and Gao and Rexford [6]) into a single algebraic 
framework [15]. In contrast to these studies of global condi- 
tions for safety, this paper studies the conditions under which 
a policy-based interdomain routing protocol can be stable if 
it preserves ranking independence. 


3. Routing Model and Definitions 


We now define our routing model. After introducing some 
basic terminology, we formally define two notions of good 
behavior for routing protocols: stability and safety. Finally, 
we extend each of these two definitions to deal with the case 
where ASes may arbitrarily filter paths from each other. 


3.1 Preliminaries 

We consider a model consisting of N ASes (nodes) 2, la- 
beled 1,...,N. Each of these nodes wishes to establish a 
path to a single destination, labeled node 0. We precisely 
define a path next. 


Definition 1 (Path) A path from to j is a sequence of nodes 
P = iizig...tmj with no repeats,; i.e., such that iy, # ty if 
uF v, andi, #1, 9 forall u. 


We denote the number of hops in a path P as length(P); 
note that a path with n nodes has n — 1 hops. In addition, 
given an AS k, we will write & € P if node & appears in P. 
For clarity, given a path P from i to 7, we will often denote 
P by iP; furthermore, if P is a path from 7 to 7, and Q is a 
path from 7 to &, then we will denote the concatenation of P 
and @ by iP7Qk. 

We denote the set of all paths from 2 to 0 (i.e., all paths on 
the complete graph) using the nodes 1,..., N by PX. Given 
the set of nodes {1,..., N}, each AS é will choose a ranking 
~;, over the set of all paths pe , defined as follows. 


Definition 2 (Ranking) Given N, a ranking <; for node t is 
a total ordering over the set of all paths PN ; thus, given any 
two paths P,Q € PN, either P <; Q (i prefers Q to P) or 
P >; Q (iprefers P to Q). 


An AS may always choose the empty path, €, which is 
equivalent to total disconnection from the destination node 
0. Thus, we have € € PS for all 2 and N. Furthermore, we 


2In this paper, we use the terms “AS” and “node” interchangeably. 


assume that every AS strictly prefers connectivity to discon- 
nectivity, so that P >; ¢ forall P € Pe : 

Note that all paths may not be available to node 7, due 
to both topological constraints and filtering by other nodes. 
Throughout the paper, we will use #; C PX to denote the 
set of paths actually available for use by node 7. The empty 
path is always available; i.e.,¢ € F;. 

A routing system is specified by the rankings of the indi- 
vidual nodes, together with the paths available to the individ- 
ual nodes. Observe that we have decoupled the “routing pol- 
icy” of each AS 72 into two components: the rankings <; of 
AS 7 over route advertisements received (i.e., a “ranking’’); 
and a determination of which paths are filtered from other 
ASes (i.e., “filtering”). The filtering decisions of all nodes, 
together with physical constraints on the network, yield the 
sets Fi,...,F~. We thus have the following formal defini- 
tion of a routing system. 


Definition 3 (Routing system) A routing system is a tuple 

N, ~1,---;~n,Fi,---, Fn), where node i has ranking <; 
over the set PN, and F; is the set of paths available to node 
i. 


A routing system specifies the input to any interdomain 
routing protocol we might consider. Given this input, the 
protocol should converge to a “routing tree”: that is, an as- 
signment of a path to each AS, such that the routes taken to- 
gether form a spanning tree rooted at 0. To formalize this no- 
tion, we must define path assignments and consistent paths. 


Definition 4 (Path assignment) A path assignment for the 
routing system (N,~<1,...,<n,Fi,...,F nN) is a vector of 
paths P = (P,,..., Pn) such that, for alli, P; © F;. 


Thus, a path assignment is an assignment of a feasible path 
to each AS 72, where feasibility is determined by the set of 
paths F;. Even though each node has a path assigned, these 
paths may not be consistent: node 1 may be assigned a path 
P; = 1j.P;0, where 7 is the first node traversed on P;, and 
where P; is a path from 7 to 0. However, the path P; may 
not be the same as the path P; assigned to 7 in the path as- 


signment P; in fact, P; may not even be in the set of feasible 
paths ¥;. For example, a node or link along the path P; may 
experience a failure, causing the routing protocol to with- 
draw the path; if 7 has heard such a withdrawal but 2 has not, 
then it is possible that P; = 717P;0 until node 7 learns that 
P; no longer exists. To formally capture such situations, we 
now define consistent paths and consistent path assignments. 


Definition 5 (Consistent path) Given a path assignment P, 


a path P, for node 1 is consistent with P if one of the follow- 
ing holds: 

1. P, =€;or 

2. P, = 10; or 

3. Bj = ijP;0, for some j # 1. 


It is clear that a routing protocol where packets are routed 
solely on destination should ultimately assign paths that are 
consistent with each other. We now formally define a consis- 
tent path assignment. 


Definition 6 (Consistent path assignment) A con- 
sistent path assignment for the routing system 


(N,~1,---,<~nw,Fi,---,Fn) is a path assignment 
vector P = (P,,..., Py) such that for all i, P; is consistent 
with P. 


3.2 Stability and Safety 


Informally, a path assignment is stable if it is consistent, 
and no node has a more preferred consistent path available. 


Definition 7 (Stable path assignment) Given a_ routing 
system (N,~1,...,<n,Fi,...,Fn), and a consistent 
path assignment P, we say that P is stable if for all nodes 


i, and all paths P, that are consistent with P, P; <,; P;. 


Definition 8 (Stable routing system) The routing system 
(N, ~1,-.-,<n,Fi,...,Fn) is stable if there exists at 
least one stable path assignment P. 


The stability of a routing system does not indicate whether 
a routing protocol will converge regardless of the initial path 
assignment. For this purpose, we introduce safety, which 
states that a protocol eventually converges, regardless of the 
initial path assignment and ordering of the routing messages. 

In defining safety, we will consider a simplified abstrac- 
tion of BGP. We model the process by which nodes receive 
route advertisements from other nodes and subsequently up- 
date their own route decisions. In this paper, we will consider 
a protocol dynamic where at each time step only a single AS 
is activated; when activated, an AS immediately processes 
all pending incoming route advertisements, and then makes 
a route decision. Formally, this will translate into a path as- 
signment sequence where exactly one node (the “activated” 
node) changes its route at any given time step. 

A routing system is safe if no oscillation occurs regardless 
of the order in which nodes are activated. We start, therefore, 
by defining a fair activation sequence. 


Definition 9 (Fair activation sequence) The sequence 
41,12,... is a fair activation sequence if each node 
4=1,...,N appears infinitely often in the sequence. 


This definition of fair activation sequence is similar to that 
presented by Gao and Rexford [6], except that in our defini- 
tion we only activate one node at a time. This distinction is 
not major: we can interpret the Gao and Rexford dynamics 
as a model where outstanding routing messages may be in 
flight when a particular node is activated. 

We now define our simplified model of the routing proto- 
col dynamics: that is, starting from an initial path assignment 
Po, and given a fair activation sequence of nodes 71, 72,..., 
what is the resulting observed sequence of path assignments 
P,,P2,...? To formalize the dynamics of our model, we 
consider an abstraction of the BGP decision process de- 
scribed in Figure 3. At each time t, a node 2, is activated, 
and chooses its most preferred available path consistent with 
the path assignment P,_;. All other nodes’ paths remain 
unchanged. It is clear that this decision process yields a se- 
quence of path assignments P, P2,.... 

After any given activation step t, the overall path assign- 
ment P, may not be consistent. Inconsistencies reflect the 
fact that a node only updates its path assignment in response 


Routing protocol dynamics 

At time ¢t — 1, the current path assignment is P;_1; i.e., each 
node 7 has currently selected path P; 4-1 to the destination 0. 
At time ft: 


1. A given node 7; is activated. 


2. Node 2; updates its path to be the most preferred path 
(according to <;,) consistent with P,_. That is, 


(a) Pi, + € Fi, is consistent with P;_,, and 
(b) Pitt >i, P,, Vv P,, € F;, consistent with Py_1. 


3. All other nodes leave their paths unchanged. 


Figure 3: The routing protocol dynamics, given an activation sequence 
i1,12,.... The process starts from an initial path assignment Po. 


to the receipt of a route advertisement. If, at time to, a node 
7 is using a path that traverses some other node 7 that has 
since changed paths, then node 7 would obliviously continue 
to use (and advertise) that inconsistent path until it receives 
a routing update that reflects that the path through 7 has dis- 
appeared or changed. When activated, say, at time t > to, 
node 2 would discover that the path it was using was inconsis- 
tent with P, and would then instead select its highest-ranked 
path that was consistent with P,. The activation of a node at 
some time ¢ corresponds to that node receiving all available 
routing information in the system up to that time. 

With the definition of our protocol dynamics in hand, we 
can define protocol safety. Given a routing system and an 
activation sequence, we say that the system has converged if, 
after some finite time, the path assignment remains invariant 
for all future time. A protocol is safe if it converges to a sta- 
ble path assignment, regardless of the initial path assignment 
and fair activation sequence. 


Definition 10 (Safety) A routing system (N,~1,...,<n 
,F1,...,F mn) is safe if for any initial path assignment Po 
and fair activation sequence 11,12, ..., there exists a finite t; 
such that P, = P; forall s,t > t,. 


We observe that since the activation sequences are fair in 
the preceding definition, if a routing system converges to P ;, 
then the resulting path assignment to which the system con- 
verges must be both consistent and stable. If not, at least one 
node would change its path assignment eventually. 


3.3 Filtering 


In this paper, we are interested in the stability and safety 
of systems that result when nodes are allowed to filter routes 
from other nodes. We thus require conditions stronger than 
stability and safety, known as stability under filtering and 
safety under filtering. Informally, a routing system is stable 
(respectively, safe) under filtering if, under any choices of 
export filters made by the ASes, the resulting routing sys- 
tem is always stable (respectively, safe). We formalize these 
notions as follows. 


Definition 11 (Stable under filtering) The routing system 
(N, ~1,.--,~n,Fi,---,;F wn) is stable under filtering if for 


all choices of available paths Fi CF; fori=1,...,N, the 
routing system (N,~<1,...,~n,Fi,---,Fwn) is stable. 


Definition 12 (Safe under filtering) The routing system 
(N, ~1,.--,<n,Fi,..-, Fn) is safe under filtering if for 
all choices of available paths F; © F; fori =1,...,.N, the 


routing system (N,<1,...,<n,Fi,---,Fwn) is safe. 


We interpret these definitions as follows. The set of avail- 
able paths F; gives the set of paths that are physically possi- 
ble for AS 7 to use, given the current network topology. Once 
all ASes have chosen their route filters (which may be arbi- 


trarily defined), the set Fi gives the set of paths that can ever 
be used by node z in route advertisements. Since we allow ar- 
bitrary choice of filters, the resulting routing system should 


be stable and safe regardless of the choices of F1,...,7N 
that are made. 


4. Ranking Classes and Safety 


In this section, we study two natural ranking classes un- 
der which ASes retain policy independence in setting rank- 
ings over paths. First, in Section 4.1, we study the rank- 
ings where each AS is allowed to rank paths solely based on 
the immediate next-hop AS, called “next-hop rankings”. We 
show that (1) there are routing systems where each node has 
only a next-hop ranking that are unsafe; and (2) even though 
all routing systems where nodes have next-hop rankings are 
stable, there exist some routing systems of this form that are 
not stable under filtering. 

In Section 4.2, we study the properties of routing systems 
where each node is allowed to choose a weight for all its out- 
going links, and rankings are derived from a “total” weight 
associated to each path. The total weight of a path is de- 
fined as the weight of the first link on that path, plus a dis- 
counted sum of the weights of all remaining links on that 
path. We show that if the discount factor is anything other 
than 1 (which corresponds to shortest path routing), then 
there exist weight configurations that yield an unsafe rout- 
ing system. 


4.1 Next-Hop Rankings 


One natural set of rankings for a routing system is one 
where each AS can express rankings over paths solely based 
on the next-hop AS in the path. Such a class of rankings 
makes sense because an AS establishes bilateral contracts 
with its immediate neighbors and, as such, will most often 
wish to configure its rankings based on the immediate next- 
hop AS en route to the destination. For example, an AS will 
typically prefer sending traffic via routes through its neigh- 
boring customer ASes over other ASes, since those customer 
ASes are paying based on traffic volume. We formally define 
next-hop rankings as follows: 


Definition 13 (Next-hop ranking) Given N, <; is a next- 
hop ranking if, for all nodes j, k with 1, j, k distinct, we have: 


ij Pj0 <i ikP,0 = ij P/O =; ik PLO, (1) 
for all P;,P; € PN, and P,, Pi, € Pjy. (Here we interpret 


Po’ = {e}-) 
Thus, <; ranks paths based only on the first hop of each 
path. 


Activate 1 2 3 


(10) (20) G20) 
(10) (210) (320) 
(1320) (210) (320) 


(9) (1320) (210) (3210) 
f (1320) (2 0) (3210) 
= (1 0) (2 0) (3 210) 


DS NIG ah | 


(10) (20) (320) 


(a) Routing system (b) Activation sequence 


Figure 4: Next-hop rankings are not safe in this routing system. AS 1 
prefers all paths through AS 3 over the direct path to the destination 0 
(with ties broken deterministically) and prefers the direct path over all 
paths through AS 2. Similarly, AS 3 prefers all paths via AS 2, and so 
forth. 


Such a restriction on policy would still be sufficiently rich 
to achieve most traffic engineering goals, since most policies 
are based on the immediate next-hop AS [3]. Additionally, 
this set of rankings might appear to be expressive enough for 
most policy goals, since most routing policies are dictated 
according to the AS’s business relationship with its immedi- 
ate neighbor. 

Previous work has shown that a routing system where 
each node has a next-hop ranking always has at least one 
stable path assignment [4]. In this section, we first show 
that there exists a routing system where each node has a 
next-hop ranking and the system is unsafe, even with no 


filtering. Then, we show that there may exist F,...F yn, 


where F; C F; for all 2, such that even though the sys- 
tem (N, <1 ... <n, F1...Fy) is stable, the filtered system 


(N, <1... ~n, FS Fy) is unstable. That is, there exist 
routing systems with next-hop rankings for which a stable 
path assignment exists, but introducing filtering can yield a 
system where no stable path assignment exists. 


Observation 1 A routing system where each node has only 
a next-hop ranking may be unsafe. 


Example 3 A routing system where each node has a next- 
hop ranking may not be safe. Consider Figure 4. In this 
example, each AS ranks every one of its neighboring ASes. 
For example, AS 1 prefers all paths that traverse AS 3 as the 
immediate next hop over all paths that traverse AS 0 as the 
immediate next hop, regardless of the number of ASes each 
path traverses; similarly, AS 1 prefers paths that traverse AS 
O as the immediate next hop over paths that traverse AS 2. 
Each AS readvertises its best path to the destination to all of 
its neighbors (i.e., the system has no filtering). Now consider 
the activation sequence in Figure 4(b); if infinitely repeated, 
this activation sequence would be fair, and the routing system 
would oscillate forever. Thus, the routing system is not safe. 

Note that this system is not safe, but it is stable: for ex- 
ample, the path assignment (10, 210, 3210) is stable. Nodes 
2 and 3 are using paths through their most preferred nodes. 
Node 1’s most preferred node, node 3, is using a path that 
already goes through node 1, so node | is also using its most 
preferred consistent path. As every node is using its most 
preferred consistent path, no node will change paths when 
activated, so the path assignment is stable. 


A routing system where each node has a next-hop ranking 
may not be safe, but Feigenbaum et al. showed that there is 
always guaranteed to be at least one stable path assignment 
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Figure 5: This routing system is stable without filtering but unstable 
under filtering. The figure shows an unsafe routing system with next- 
hop rankings and filtering that is equivalent to the unstable routing 
system with the rankings over paths shown in Figure 1. 
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Figure 6: Routing system with edge weight-based rankings. 


for such routing systems [4]. However, allowing nodes to 
filter paths from each other can create routing systems for 
which there is no stable path assignment. 


Observation 2 There exist routing systems with next-hop 
rankings for which a stable path assignment exists, but in- 
troducing filtering can yield a system where no stable path 
assignment exists. 


Example 4 Consider Figure 5. As before, each AS ranks 
every one of its neighboring ASes. Additionally, each AS 
may also declare arbitrary filtering policies. In this example, 
each AS (other than the destination) does not readvertise any 
indirect path to the destination. For example, AS 1 does not 
advertise the path 130 to AS 2, and thus the path 2130 is 
not available to AS 2. Formally, we define F; = {130,10}, 
Fo = {210,20}, and F3 = {320, 30}. 

It is possible to show that the resulting routing system is 
actually equivalent to the system in Figure 1, once the fil- 
tered paths are removed from each node’s ranking. Thus, 
the filtered routing system is unstable by the same reason- 
ing as in Example 1: for any path assignment in this routing 
system, at least one AS will have a higher ranked consis- 
tent path (and, hence, has an incentive to deviate from the 
path assignment). For example, consider the path assign- 
ment P; = (130, 20,30). AS 3 prefers to switch paths to 
320, since 2 is its preferred next hop AS. a 


Using a construction similar to that in Example 2, it is 
possible to show how this example could arise in practice. 
The example demonstrates the complex interaction between 
filtering and rankings—a class of rankings that guarantees 
stability without filtering can yield unstable routing systems 
under certain filtering conditions. 


4.2 Edge Weight-Based Rankings 


There exists at least one routing model that preserves rank- 
ing independence and yet ensures stability: if each provider 
is allowed to choose edge weights for its outgoing links, and 
each provider ranks paths based on the sum of edge weights, 
the resulting “shortest paths” routing system is guaranteed 


to be safe [10]. Since this result holds for any F1,..., Fax, 
any routing system built in this way is guaranteed to be safe 
under filtering. In this section, we will formulate a general- 
ized model of such edge weight-based rankings, with both 
next-hop rankings and shortest path routing as special cases. 
Such rankings do not allow providers to directly specify their 
ranking; rather, the rankings of each provider are derived 
from the strategic choices made by all providers, namely, 
the choices of outgoing link weights that each provider sets. 
This notion of “derived” rankings is a potentially useful 
method for ensuring policy independence in interdomain 
routing protocols. 


Definition 14 (Edge weight-based rankings) 

(N, ~1,.--,~n,Fi,.--,;Fn) is a routing system with 
edge weight-based rankings if there exists an assignment 
of edge weights wj;; to each ordered pair of ASes 1, j, 
together with a parameter a € [0,1], such that for each 


AS i and paths P;,P, € PN with P, = iiy...inO0 and 
P; = 191 ...Jm0, there holds: 


n-1 
P, <; P; ifand only if wu, +a e Wiping + v0) 
k=1 


m-1 
> Wij, + @ Wyejega vn) : 


l=1 


The interpretation of this definition is as follows. Each 
node chooses edge weights for all possible outgoing links; 
ie., node 2 chooses a weight w;; for each node j. Next, 
node i determines its rankings by ordering all paths P; = 
701 ...%,0 in nCreasine order according to their weight 
Wii, + Oy s: Wiring, + Wi,0), Where a is a global pa- 
rameter used to weight the tail of the path. The parameter 
a allows us to compare two extreme points: a = 1, corre- 
sponds to shortest path routing based on the matrix of edge 
weights w, while a = 0 corresponds to next-hop rankings. 
A natural question to ask is whether a routing system us- 
ing edge weight-based rankings can be safe for intermediate 
values of a. It turns out that the only edge weight-based 
ranking class that can guarantee safety (and safety under fil- 
tering), regardless of the weights chosen by each provider, is 
the scheme defined by a = 1; i.e., shortest path routing. 


Observation 3 A routing system with edge weight-based 
rankings may be unstable for any a where0 <a <1. 


Example 5 Consider the routing system shown in Figure 6. 
If the system is such that each node prefers the two-hop 
path to the destination, followed by the one-hop (i.e., di- 
rect) path, followed by the three-hop path, then the system 
will be unstable because its behavior will match Example 1. 
The routing system will be unstable if the following condi- 
tions are satisfied, for all? = 1,2,3: wist1 + awisio < 
Wio < Witt + A(Wis1,i42 + Wi+2,0) (for addition modulo 
3). If a = 1, these inequalities cannot be simultaneously 
satisfied for any nonnegative choice of the edge weight vec- 
tor w; this is to be expected, since a = 1 corresponds to 
shortest path routing. On the other hand, if 0 < a < 1, 
then many vectors w exist satisfying the inequalities above. 
For example, we can choose wo wa0 W30 1, 
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Figure 7: Relationships between safety and dispute rings and wheels. 
Previous work showed that a routing system with no dispute wheel is 
safe [10]. Section 5 presents all other relationships shown in this figure. 


and let wy2 W23 W31 x, for any x such that 
(1—a)/(1+a) <a < 1-—<a. For this definition of w, all 
three inequalities above will be satisfied, and thus the rank- 
ings of each node will lead to the same oscillation described 
in Example 1. | 


5. Dispute Wheels and Dispute Rings 


Our goal is to study the classes of rankings for which 
the routing system is guaranteed to be safe under filtering. 
Safety is a dynamic concept, and Griffin et al. have shown 
that checking whether a particular routing system is safe is 
NP-hard [10]. To simplify our study of safety, we introduce 
a useful concept developed by Griffin et al. [10], known as a 
dispute wheel. Informally, a dispute wheel gives a listing of 
nodes, and two path choices per node, such that one path is 
always preferred to the other. If a routing system oscillates, 
then it is possible to construct a dispute wheel whereby each 
node in the wheel selects its more preferred path (via the 
node in the clockwise direction) over its less preferred path. 
Griffin et al. showed that if a routing system with no filtering 
does not have a dispute wheel, then it is safe. 

The dispute wheel is a useful concept because it allows 
us to analyze dynamic properties such as safety by simply 
looking at the rankings of each node in the routing system. 
In this section, we formally define a dispute wheel and show 
the relationship of Griffin’s routing model, which simulates 
messages being passed between nodes, to the model we use 
in this paper, which uses fair activation sequences. This re- 
lationship allows us to leverage Griffin’s previous results to 
study safety in terms of the routing model in this paper. We 
then extend the framework of Griffin et al. by defining a 
special type of dispute wheel called a dispute ring and show 
that, if any routing system has a dispute ring, then it is unsafe 
under filtering. Finally, we relate dispute wheels to dispute 
rings and show that, although the presence of a dispute ring 
guarantees that a routing system is unsafe under filtering, it 
does not necessarily imply that a routing system is unsafe 
without filtering. Figure 7 summarizes the results of this sec- 
tion and how they relate to results from previous work [10]. 


5.1 Dispute Wheels and Safety 
We start by formally defining dispute wheels. 


Definition 15 (Dispute wheel) Given a_ routing system 
(N, ~1,..-,;<nw,Fi,...,F qn), a dispute wheel is a collec- 
tion of distinct nodes 11, ...,%m, called pivots, together with 
two sets of paths P,,..., Pm and Q,...,Qm, such that the 
following conditions hold (where we define im+1 = 11 for 
notational convenience): 


1. Py € F;, forallk =1,...,m; 


Figure 8: Illustration of a dispute wheel. Dotted lines show preferred 


(indirect) paths to the destination. The nodes 71... , 2m are pivots. 
2. Qx is a path from ix, to in41 for allk =1,...,m; 
3. The path Py = ipQnins1Pr+10 is feasible, ie, Py € 
Fi, and 
4. Py, ip Pi 


Thus, each node 2, prefers the path 1,Q42441-Px+10 to the 
path 2;.P,0. Figure 8 shows a graphical representation of a 
dispute wheel. 

As previously shown by Griffin et al. [10], the most im- 
portant feature of dispute wheels for our purposes is that if 
a routing system has no dispute wheels, then it is safe. To 
use this result for analyzing routing systems as we defined 
in Definition 3 (Section 3), we must show that safety in the 
Simple Path Vector Protocol (SPVP) defined by Griffin et 
al. [10] implies safety in our model. 


Proposition 1 Given a routing system, a fair activation se- 
quence, and an initial path assignment Po, let P,,P2,... 
be the resulting sequence of path assignments according to 
the dynamics described in Figure 3. Then there exists a 
sequence of messages in the Simple Path Vector Protocol 
(SPVP) such that the same sequence of path assignments is 
observed. 

Thus, in particular, if a routing system is safe under SPVP, 
then it is safe according to Definition 10. 


Proof Sketch. The key difference between SPVP and the dy- 
namics we have defined is that SPVP is asynchronous (i.e., at 
any time step, messages may be in flight), so different nodes 
may have different assumptions about the global path assign- 
ment at any time. However, SPVP is nondeterministic with 
respect to the timing of messages; the delay between a rout- 
ing update at node 7 and the receipt of the new route adver- 
tisement from node 7 at node 2 can be arbitrary. We use this 
fact to construct, inductively, a sequence of messages such 
that at time t, the current set of paths available to node 2; in 
SPVP corresponds exactly to P;_,. Furthermore, we time 
the delivery of routing updates to node 7; in SPVP so that 
any updates that occurred since the last time 7; was activated 
arrive exactly at the start of time step t. In SPVP, this will ini- 
tiate a routing update at node 7;, which corresponds exactly 
to the activation of 7; in our model (see Figure 3). 

Thus, the sequence of path assignments seen in this real- 
ization of SPVP matches the sequence of path assignments 
seen in our dynamics. We conclude that if SPVP is guaran- 
teed to be safe for the given routing system (i.e., if eventu- 
ally no further routing updates occur, regardless of the initial 
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Figure 9: A routing system that is safe for any choice of filters. 


path assignment), then the routing system is safe according 
to Definition 10 as well. Mf 


Corollary1 If a_ routing system (N,~1,...,~n, 
Fi,...; Fn) has no dispute wheel, then it is safe. 

Corollary2 Jf a _ routing system (N,~%1,...,~<nN, 
Fi,...;Fn) has no dispute wheel, then it is safe un- 


der filtering. 


Proof. Choose subsets F; C F;. Then, any dispute wheel 
for the routing system S = (N,~<1,---, ny F iy. ,Fy) 
is also a dispute wheel for the original routing system S = 
(N, ~1,.--,<~nw,Fi,.--, Fw). | 


We conclude that if no dispute wheel exists, then not only 
does this guarantee any resulting routing system is safe, but 
it will also ensure safety under filtering. Unfortunately, this 
condition is not a necessary condition for safety, and thus 
not much can be said about a system that does have a dispute 
wheel. Furthermore, there exist routing systems that have a 
dispute wheel but which are safe under filtering. 


Observation 4 The existence of a dispute wheel does not im- 
ply that the routing system is unsafe, nor that the routing sys- 
tem is not safe under filtering. 


Example 6 See Figure 9. The first two most preferred paths 
in each node’s ranking form a dispute wheel, but the sys- 
tem is safe: the system converges to P = (10, 20,30). Fur- 
thermore, no combination of filters can create an oscillation. 
The two-hop paths are not part of the stable path assign- 
ment, so filtering those paths has no effect on the protocol 
dynamics. Filtering a three-hop path would simply result in 
a node selecting the direct path to the destination, and the 
node would never deviate from that path; thus, an oscilla- 
tion would not occur. If one direct path is filtered, then the 
other two nodes will take direct paths to the destination and 
the node whose direct path is filtered will take its most pre- 
ferred three-hop path. If two direct paths are filtered, then 
P is simply a chain to the destination: the node that has the 
direct path takes it, and the other two nodes will take two and 
three-hop paths. a 


5.2 Dispute Rings and Safety 


In this section, we extend the dispute wheel notion to 
understand the relationship between ranking expressiveness 
and safety under filtering. We define a relationship between 
rankings called a dispute ring, a special case of a dispute 
wheel where each node appears at most once. 


Definition 16 (Dispute ring) A dispute ring is a dis- 
pute wheel—a collection of nodes 11,...,%m and paths 
Pi,..-, Pm, Q1,---; Qm Satisfying Definition 15—such that 
m = 3, and no node in the routing system appears more than 
once in the wheel. 


The dispute ring is a useful concept because it allows us to 
prove a necessary condition for safety under filtering. 


Proposition 2 /f a routing system has a dispute ring, then it 
is not safe under filtering. 


Proof. Assume that a routing system has a dispute ring, 
defined by 71,...,%m, and paths Q1,...,Qm, Pi,...,; Pm. 
Then, construct filters such that F; contains only the paths 
in that dispute ring. Specifically, F; contains the following 
paths from Pe (where we define 2,,41 = 71). (1) If 7 is not 
in the dispute ring, then F; = 0). (2) If 7 is a pivot node on the 
dispute ring, say 7 = i, then F; contains exactly two paths: 
Py, and 74.Qxin+1Pp410. (3) If i is not a pivot node, but 
i € Qx for some k, then we can write Qy = inQ;iQzixn4. 
In this case F; consists of the single path iQeings Pr410. (4) 
If ¢ is not a pivot node, but 7 € P; for some k, then we can 
write P, = i,PiPZ0. In this case, F; consists of the sin- 
gle path 1P?0. Since each node appears at most once on the 
dispute ring, the preceding definition uniquely defines F ; for 
all nodes 2. 

There exists at least one consistent path assignment P, 
such that some pivot node 7,_, is using its most preferred 
path, 7,-1Qx-12xP,0, every other pivot node 7; is using 
path 7;P;0, and every other non-pivot node 7 uses its only 
available path consistent with this assignment. Then, the fol- 
lowing activation sequence will result in an oscillation: 


1. Activate node iz. Node i, then switches to its more 
preferred path, 2,.Qxin+1Pp410. 

2. Activate nodes along Q,—1 in reverse order, from the 
node immediately preceding 1,, to t1,—-1. All nodes 
along Q,—1 switch to the empty path, e. 

3. Activate node ip-1. The path ip_1Qz_—11~P,0 is 
now inconsistent, so 7,1 must switch to the path 


tp—1Pp-10. 
4. Return to Step 1 with k replaced by k + 1, and iterate 
again. 


By the fourth step of the iteration above, the new path as- 
signment is “isomorphic” to the initial configuration: now 
node 7, is using the path i, Qxin41Px410, and every other 
pivot node 7; is using path 7;.P;0. Thus, as this iteration re- 
peats, the dynamics will ultimately reach node 7; once again 
with the original path assignment. Note that all paths in this 
activation sequence are guaranteed to be available and con- 
sistent, by the definition of F;. To make this activation se- 
quence fair, we must also activate (1) the nodes that are not 
in P; UQ; for any 7 in the dispute ring; and (2) the non-pivot 
nodes in P; for all 2 in the dispute ring. The nodes that are 
not in P; U @; for any 2 have only the path ¢ available, and 
each non-pivot node in P; (for all 2) has only one path to 
the destination available. Therefore, these nodes will never 
change paths, and do not affect the oscillation. Hf 


We emphasize that, for simplicity, we reduced the set of 
filters, F;, to include only the set of paths that are involved 


Node | Ranking 
160 — 1240 
240 > 2350 
350 > 3160 


51240 > 50 


1 
2 
3 
4 43160 > 40 
5 
6 62350 — 60 


(a) Routing system (b) Dispute wheel 


Figure 10: System that (1) has no dispute ring and (2) is not safe. 


Path Assignment 


Act. 1 2 3 4 5 6 
— T1240) 240) G50 (40) 60) (60) 
5 (1240) (240) (350) (40) (51240) (60) 
1 (160) (240) (350) (40) (51240) (60) 
3 (160) (240) (3160) (40) (51240) (60) 
4 (160) (240) (3160) (43160) (51240) (60) 
5 (160) (240) (3160) (43160) (50) (60) 
3 (160) (240) (350) (43160) (50) (60) 
2 (160) (2350) (350) (43160) (50) (60) 
6 (160) (2350) (350) (43160) (5 0) (62350) 
4 (160) (2350) (350) (40) (5 0) (62350) 
2 (160) (240) (350) (40) (50) (62350) 
1 (1240) (240) (350) (40) (50) (62350) 
5 (1240) (240) (350) (40) (51240) (62350) 
6 (1240) (240) (350) (40) (51240) (60) 


Figure 11: Activation sequence for unsafe system from Figure 10. 


in an oscillation. We note that there will typically be more 
permissive sets F; that will also result in oscillation, since 
the dispute ring is present in the underlying set of rankings. 
Our intent is to highlight the most basic case of filtering that 
can cause an oscillation, given the existence of a dispute ring. 

Despite the fact that systems that are safe under filtering 
are guaranteed not to have a dispute ring, testing for a dispute 
ring is not sufficient to guarantee that the routing system is 
safe, as there exist routing systems without dispute rings that 
are unsafe. We give an example below. 


Observation 5 There exist unsafe routing systems that have 
a dispute wheel but do not have a dispute ring. 


Example 7 Consider the routing system described by 
Figure 10(a) and the corresponding dispute wheel in 
Figure 10(b). Suppose that nodes 1, 2, and 3 pre- 
fer two-hop paths over three-hop paths, and the only 
paths available to nodes are those depicted in the figure. 
This system is not safe; for example, suppose Pg = 
(1240, 240, 350, 40, 50,60). The system then oscillates as 
shown in Figure 11. However, the system has no dispute 
ring; in particular, the dispute wheel depicted in Figure 10(b) 
cannot be reduced to a dispute ring. | 


6. Ranking Independence, 
Unrestricted Filtering, and Safety 


In this section, we determine necessary and sufficient con- 
straints on the allowable classes of rankings, such that if each 


AS acts independently in setting its ranking while filtering is 
unrestricted, the protocol is guaranteed to be safe. We use 
the static concepts of dispute rings and dispute wheels to 
simplify checking safety, a dynamic property. As a result, 
we restrict our attention to characterizing whether a routing 
system where rankings are chosen independently by each AS 
can induce either a dispute ring or a dispute wheel. 

A protocol’s configurable parameters implicitly restrict the 
rankings ASes can express. (In BGP, the set of protocol 
parameters is rich enough to allow providers to express es- 
sentially any possible ranking over paths.) We must ensure 
these constraints respect the ability of each AS to set rank- 
ings independently. In Section 6.1, we axiomatically formu- 
late two properties that should be satisfied by any protocol 
that respects ranking independence: permutation invariance 
and scale invariance. The first requires the rankings allowed 
by the protocol to be independent of node labeling; and the 
second requires the allowed rankings to scale gracefully as 
nodes are added to the system. We abstract protocols sat- 
isfying these two conditions through the notion of a local 
verifier; such a verifier takes a single ranking as input, and 
accepts it if that ranking is allowed by the protocol. 

In Section 6.2, we give two examples of such verifiers: 
the shortest hop count verifier (which only accepts rankings 
where shorter paths are preferred to longer paths), and the 
next hop verifier (which only accepts next hop rankings). We 
then determine the class of local verifiers such that, as long 
as each provider independently chooses an acceptable rank- 
ing, the resulting global routing system is guaranteed to be 
safe under filtering.* In Section 6.3, we show that the only 
verifiers that are safe under filtering are nearly equivalent to 
the shortest hop count verifier. 


6.1 Local Verifiers 


In this section, we define a local verifier, which serves as 
an abstraction of the protocol’s constraints on allowed rank- 
ings over routes. We start by defining a (local) verifier, which 
takes as input the ranking of a single AS i, <V and deter- 
mines whether that set of rankings is allowable. 


Definition 17 (Local verifier) Given N nodes, a verifier 
1(~;) takes as input the ranking of a single AS 1 over all 
paths in PN, and returns “accept” if <; is allowed by r, 
and returns “reject” otherwise. If m(<;) = “accept”, we 
will say that <; is m-accepted. If we are given a routing 
system (N,~1,...,~n,Fi,..-,Fn) where each ~; is 1- 
accepted, we will say the routing system is 7-accepted. 


A local verifier applies some set of conditions or tests to 
the rankings; these conditions determine whether it should 
accept or reject the ranking <; for any AS 7. We call such 
verifiers “local” because it takes as input a ranking for a sin- 
gle AS only. 

We now define two natural conditions any verifier that pre- 
serves ranking independence should satisfy. First, the veri- 
fier’s conditions on rankings should provide consistent an- 
swers to different ASes, regardless of the labeling of the 
ASes. That is, for the verifier to preserve ranking indepen- 
dence, each AS should be subject to the same constraints on 
routing policies, and those constraints should not depend on 


3We focus on safety since it is a more practically useful concept than stabil- 
ity. 


the particular assignment of AS numbers to ASes. For exam- 
ple, suppose the routing system consists of three ASes, and 
AS 1 has an accepted ranking where it prefers 1230 over 120, 
and 120 over 10. Then we expect the same ranking should 
be accepted, even if the labels of nodes are permuted. For 
example, suppose we permute the node labels that 1 — 2, 
2 — 3, and 3 — 1. Then node 2 should also have an ac- 
cepted ranking where it prefers 2310 over 230, and 230 over 
20 (since 2310, 230, and 20 are the new paths that result 
after applying the permutation to 1230, 120, and 10, respec- 
tively). If this property were not satisfied, then the verifier’s 
decision to accept or reject a set of rankings would depend 
on the global assignment of AS numbers to nodes, not on 
the characteristics of the individual rankings themselves. We 
call this notion permutation invariance; to define it precisely, 
we must proceed through a sequence of definitions, starting 
with path permutation. 


Definition 18 (Path permutation) Given N nodes, let o be 
a permutation of the nodes 1,...,.N. Then o induces a path 
permutation on any path P = i1112...im j from ‘to J, yield- 
ing a new path o(P) = a(i)o(i1)o(t2)...o(im)o(j) from 
a(t) to a(j). We always define o(0) = 0. 


Definition 19 (Ranking permutation) Given N nodes, let 
o be a permutation of the nodes 1,...,N. Then o induces 
a ranking permutation on a ranking <; for node 1 over the 
paths in PN, yielding a new ranking o(~<;) over the paths 
in Pro: as follows: If P,, Py € PN, and P, ~; Po, then 
o(P,)o(*;)o(P2) (where o(P;) is the path permutation of 
path P; under oc). 


Note that a permutation does not modify the routing sys- 
tem any substantive way, except to relabel the nodes, and to 
relabel the paths and rankings and in a way that is consistent 
with the relabeling of nodes. 


Definition 20 (Permutation invariance) A verifier 7 is per- 
mutation invariant if, given N and a ranking <; for an AS 
. . N . re at . 

i over all paths in P;*, the relation <; is m-accepted if 
and only if o(*;) is m-accepted, for any permutation o of 
1 


pees 


Second, a verifier should specify conditions for acceptance 
or rejection of rankings that “scale” appropriately with the 
number of nodes in the system; we call this property scale 
invariance. Suppose, for example, that a verifier accepts a 
ranking <; over P)’, when N nodes are in the system. Now 
suppose that we add nodes to the system, so the total num- 
ber of nodes is N > N. As additional nodes are added to 
the system, additional paths become available as well, and 
each node 7 must specify its rankings over the larger set 


PN. Informally, scale invariance of the verifier requires that 
i should be able to “extend” the ranking <,; to an accepted 
ranking over P’, without having to modify its existing rank- 
ing over P}; otherwise, the properties of allowed rankings 
would depend on the number of nodes in the global system. 
To formalize this concept, we first define a subranking. 


Definition 21 (Subranking) Given N nodes, let <; be a 
ranking for AS i over all paths in P. Given N > N, let 


10 


=; be a ranking for AS i over all paths in PN. Note that 
PN c PN. We say that <; is asubranking of <; if P, <; P2 
implies P,%;P», for all P,, Pz € pe. 


We now define scale invariance. 


Definition 22 (Scale invariance) A verifier 7 is scale invari- 
ant if the following condition holds: given any m-accepted 


ranking <; for AS i over PN, and given any N > N, there 


exists at least one n-accepted ranking ~; over PN that has 
~<; as a subranking. 


Permutation invariance guarantees that relabeling nodes 
does not affect allowed rankings; scale invariance ensures 
that even as the set of nodes in the network increases, the 
rankings over previously existing paths should remain valid. 
Verifiers that satisfy both permutation invariance and scale 
invariance correspond to protocols that ensure ranking inde- 
pendence; we call such verifiers local verifiers. 


Definition 23 (Local verifier) A verifier is a local verifier if 
it is both permutation invariant and scale invariant. 


We want to find protocols that are guaranteed to be safe 
under filtering. Given that we use a local verifier as an ab- 
straction of the constraints placed by a protocol on rankings, 
we would thus like to characterize local verifiers that can 
ensure safety under filtering of the entire routing system (a 
global property). For this reason, we extend the definition of 
“safety under filtering” to cover local verifiers. 


Definition 24 Let 7 be a local verifier. We say that 7 is safe 
under filtering if all -accepted routing systems are safe un- 
der filtering. 


6.2 Examples of Local Verifiers 


We now present two straightforward examples of local ver- 
ifiers: the shortest hop count verifier, which is guaranteed to 
be safe, but is not expressive; and the next hop verifier, which 
is expressive, but not safe. 


Example 8 Our first example is the shortest hop count rank- 
ing verifier, denoted °°. Given the number of nodes N, the 
verifier 7°”° accepts a ranking <; for node i if and only if 
the relation <; strictly prefers shorter paths (in terms of hop 
count) over longer ones. Formally, it accepts ~;, if, for any 
two paths P;, Pie PN such that length(P;) < length(P;), 
Py 4 PB. (Ties may be broken arbitrarily.) 

It is not hard to verify that 7°" is a local verifier. To check 
permutation invariance, note that if <; is allowed for node 
i, then of course for any permutation oc, the ranking o(~ ;) 
will also be allowed for node o(2), as o(~;) will also pre- 
fer shorter paths to longer paths. Scale invariance is natu- 
ral: given any shortest hop count ranking <; over PY, and 
given N > N, there obviously exists at least one shortest 


hop count ranking over P/V that has <; as a subranking. 
Thus 7*”¢ is scale invariant as well. However, other than 
tie breaking, 7°”° does not allow very much freedom to the 
providers in specifying routing policies. a 


n°" forces all providers to use shortest AS path length, 
effectively precluding each AS from having any policy ex- 
pressiveness in choosing rankings. A more flexible set of 
rankings is allowed by the next hop ranking verifier of the 
next example. 


Example 9 The next hop ranking verifier, denoted 1"”, ac- 
cepts a ranking <; for node z if and only if <, satisfies Equa- 
tion (1) in Section 4.1; that is, if <; is a next hop ranking. 

It is easy to see that 7”” is permutation invariant: if <; 
is a next hop ranking for node i, then clearly o(~;) is a 
next hop ranking for node o(2). Furthermore, note that any 
next hop ranking <, is determined entirely by the rankings 
of node 2 over each possible next hop, together with tiebreak- 
ing choices among routes with the same next hop. Thus, for 


N > N, ~; can be extended to a next hop ranking over pe Z 
by extending node 2’s rankings over each possible next hop, 
and determining tiebreaking rules for any routes with next 


hop N + 1,...,.N. We conclude that 7”” is scale invariant 
as well, and thus it is a local verifier. 

The next hop verifier 7” grants providers greater flexi- 
bility in choosing their routing policies than under the short- 
est hop count verifier 7°”°. However, consider the conse- 
quences of using the local verifier 7””. In this case, each AS 
a will choose a next hop ranking < ;, without any global con- 
straints placed on the composite vector of next hop rankings 
(<1,..., <a) chosen by the ASes. We have shown earlier in 
Section 4.1 that there exist configurations of next hop rank- 
ings that may not be stable or safe under filtering; thus, the 
local verifier ”” can lead to globally undesirable behavior. 

a 


Next, we use dispute rings and dispute wheels to charac- 
terize the class of local verifiers that are safe under filtering. 
We will prove that this class is closely related to the shortest 
hop count verifier 7°". 


6.3 Impossibility Results 


We prove two main results in this section. Informally, the 
first result can be stated as follows: suppose we are given a 
local verifier and an accepted ranking such that some n hop 
path is less preferred (i.e., ranked lower) than another path 
of length at least n + 2 hops. (Note that this is a reversal 
of shortest hop count rankings.) Then, we can construct an 
accepted routing system with a dispute ring; i.e., one that is 
unsafe under filtering. The second result states that if some 
n hop path is less preferred than another path of length at 
least n + 1 hops, then there exists a routing system with a 
dispute wheel (though not necessarily a dispute ring). Note 
that this result is weaker than our first result, since a dispute 
wheel does not necessarily imply that the system is unsafe 
under filtering. 

We interpret these results as follows: if we are searching 
for local verifiers that are safe under filtering, we are very 
nearly restricted to considering only the shortest hop count 
verifier, since all paths of n hops must be more preferred than 
paths of at least n+-2 hops to guarantee safety under filtering; 
and all paths of n hops must be more preferred than paths of 
at least n + 1 hops to prevent dispute wheels. 

Our first lemma, which is crucial to proving both of our 
results, uses permutation invariance to construct a dispute 
wheel from a single node’s rankings. We use a permuta- 
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Pro = o*(P,)~ @ kH= o* (i) 


Figure 12: Dispute wheel construction for Lemma 1. 


tion to “replicate” pieces of the dispute wheel until the entire 
wheel is completed. 

To state the lemma, we will require the definition of pe- 
riod of a node with respect to a permutation, as well as the 
period of a permutation. Given a permutation o on the nodes 
1,...,.N, let o* denote the permutation that results when o 
is applied k times; e.g., 7(j) = o(o(j)), where 0° is de- 
fined to be o. 


Definition 25 (Period) Given a permutation o on the nodes 
1,...,.N, we define the period of i under o as period (7) = 
min{k >1:o0*(i) =i%}. 

Thus, the period of 1 is the minimum number of applica- 
tions of o required to return to 1. 


Definition 26 (Permutation period) Given a permutation 
a on the nodes 1,..., N, we define the period of the permu- 
tation o as period(a) = min{k > 1: o*(i) = i for all i}. 

Thus, period(c) is the minimum number of applications 
of o required to recover the original node labeling, and can 
be computed as the least common multiple of period ;(c), for 
L<i<N. 


The following result establishes the conditions under 
which we can apply a permutation to a 7-accepted ranking to 
obtain a dispute wheel. We will use this lemma as a building 
block for both of the theorems in this section. 


Lemma 1 Let 7 be a local verifier. Suppose there exists a 
node i with a ranking <; over ae two paths R;, P; © Pe, 
and a permutation o on 1,..., N such that: 

I, <; is w-accepted; 

2. Ry >; PB; 

3. period,;(7) = period(o); and 

4. There exists a path Q; from i to o(i) such that: 


R; = iQio(i)o(P,)0. (2) 
Then there exists a t-accepted routing system for which there 
exists a dispute wheel. 

This dispute wheel is defined by pivot nodes 14,... 
and paths P,,...,Pm and Qj,... 


» lms 
;Qm, Where m = 


period(c), and where fork = 1,...,m, we have i, = 
aU) Pe =o (Pande Oe =a" (0,) 


Proof of Lemma. Refer to Figure 12. The key idea of the 
proof is that, since period;(7) = period(c), we can repeat- 
edly apply o to the paths Qi and P; and apply permutation 
invariance to construct a 7-accepted routing system with a 
dispute wheel. 

Let m = period(c). Define the sequence ij, i2,...,% 
by i, = o*-1(i) fork = 1,...,m. Since period(c) 
period,(o), the nodes i1,...,%m are all distinct. For & 
1,...,m, define <;, = o*—1(;); since the nodes 71,...,im 
are all distinct, this assignment of rankings to nodes is well 
defined (i.e., no node is assigned two different rankings). By 
permutation invariance, since < ; is 7-accepted, we conclude 
~<j;,, 18 7-accepted for all k. For all other nodes 7, choose any 
m-accepted ranking <;. Let F; = PS for all nodes 7. 

This permutation defines a z-accepted routing system 
(N, ~1,..-,<n,Fi,...,Fn). We now construct a dis- 
pute wheel for this system. Define Q, = o*-1(Q;), and 
P, = of !(P,), for k = 1,...,m. We claim that these 
definitions yield a dispute wheel. 

Since F; = ed for all 7, all paths are feasible. Next, since 
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Q; is a path from 71 = i to ig = o (2), we conclude that Q, is 
a path from 7, to 244, for all k (where we define i,,41 = 74). 
We now observe that: 


a" (Ri) = oi) a8“! (Qi)o* ()o* (P,)0 
= 1nQrinqi1Pp+10. 


Finally, since <;,= ok-1(2,;) and R; >; P., we have 
o*-1(R;) >i, o*1(P;). Using the preceding deriva- 
tion and the fact that P, = o*—1(P;), we conclude that 
tprQrin+i1Pp410 aan ipPx0, as required. 

Thus, we have established that 71,...,%m, together with 
Q1,---,;Qm and P;,..., Pm, constitute a dispute wheel. Hf 


The preceding lemma reduces the search for a dispute 
wheel to a search for a permutation and a 7-accepted ranking 
with the stated properties. Observe from (2) that the permu- 
tation o maps the path P; into the “tail” of the path R;; in 
applying Lemma 1, we will construct a partial permutation 
by mapping a path P; into the “tail” of R; as in (2), and 
then we will complete the permutation by adding nodes to 
the system if necessary so that period ;(7) = period(a). We 
use this approach to prove two theorems; the first states that 
if a local verifier accepts at least one ranking that prefers an 
n hop path less than a path of at least n + 2 hops, then the 
verifier is not safe under filtering. 


Theorem 1 Let x be a local verifier. Suppose there exists a 
node i with 7-accepted ranking <;, and two paths R;, Pie 
PN such that length(R;) > length(P;) + 1 and R; >; P;. 
Then 7 is not safe under filtering. 


Proof. The proof relies on Lemma | to build a dispute 
wheel. First, using scale invariance of the local verifier, 
we show that the stated conditions of the theorem ensure 
that there exist two paths R/, P! such that: length(R/) > 


length(P/) + 1; Rj is more preferred than P! for some 7- 
accepted ranking; and R/ and P have no nodes in common, 
other than 2 and 0. Lemma 2 then completes the proof of 
the theorem through two steps: first, once we have found the 
paths Ri and P!, we use them to build a permutation o such 
that the conditions of Lemma 1 are satisfied; and second, we 
show that the dispute wheel given by Lemma | is in fact a 
dispute ring, by checking that no nodes are repeated around 
the wheel. 4 

We first construct the paths R/ and P! as described in the 
previous paragraph. Let 7, <;, R;, and P; be given as in the 
theorem. Let & = length(P;); ie., P; = iujug...ue_10. 
We add ¢ new nodes to the routing system, and label them 
U1,.-., Ue; let N’ = N + &. By scale invariance, there exists 
a m-accepted ranking < " on the set of paths PX " with <; as 


a subranking. For such a ranking <~ ‘ we have R; = "Pi 

But now consider the path T; = 7v;...v¢0; note that 
length(T;) = €+ 1. Since R; ou P,, either T; = P, 
or R; a T;. In the former case, let Ri = T;, Pi = Pp; 


and in the latter case, let Ri = R;, and Pp! = T;. Then 
length(R,) > length(P/) +1, Ri +’ Pl, and Ri and P! 
have no nodes in common other than 7 and 0. 

The following lemma uses Lemma | to construct a dispute 
wheel. 


Lemma 2 Let 7 be a local verifier. Suppose there exists a 
. . . ; N 
node 1 with m-accepted ranking <; over P;*, and two paths 


R;, PB; € px such that: 
I. length(R;) > length(P;) + 1; 
2. Ri >; Pj; and 


3. R; and PB; have no nodes in common other than 1 and 


0. 


Then there exists a w-accepted routing system for which there 
exists a dispute ring. 


Proof of Lemma. The proof of this lemma proceeds by 
using scale invariance: we add enough new nodes to the sys- 
tem to allow us to build a permutation such that the condi- 
tions of Lemma | are satisfied. The key insight is that we 
initially construct the permutation o by mapping the path 
P, into the “tail” of the path R;. We then add enough 
nodes so that when we complete the definition of 7, we have 
period,(a) = period(c). 

Let length(P;) = n, and let h = length(R;) — n; note 
that, by Condition | in the statement of the lemma, we know 
h > 1. Define 7; = 7. We label the nodes so that P, = 
1412 ...%,0, and R; = 1121 %2...%p_—11112... 4,0. We want 
to define a permutation o that will map the path 71 ...7,,0 
to the tail of R;, i.e., to the path ay wk in0. However, this 
does not completely define a permutation, so we must add 
additional nodes to ensure that period ;(a7) = period(c). 

We add 2(h—1)+n additional nodes to the system, labeled 
&1,...,@,-1, and t},...,i,,24,...,2),_,. By scale invari- 
ance, we know there exists at least one 7-accepted ranking 
<; over all paths using this larger set of nodes, such that =; 


& 
| 

BR ue 
Q 

BS 


Figure 13: Dispute ring construction for Lemma 2. 


has <; as a subranking. In particular, since R; >; PB, we 
have R,;>+;P;. We now define a permutation o according to 
the following maps: 


ik > th 2 th, > ig, tea 
Lk 7 kp OL, ap, k=1,...,h—-1. 

That is, o(¢,) = tes (iz) = ij, etc. For all nodes 7 not 
listed, we define o(j7) = j. Note that the period of o is 
period(c) = 3, and of course period (7) = period,, (7) = 
3 = period(o). Finally, note that by definition of 7, we have 
R; = iQ;a(i)o(P;)0, where Q; = 124 sake Lp—111- 

Thus, the conditions of Lemma 1 have been satisfied 
by the ranking ,, the paths R; and P;, and the permu- 
tation 7; so we know there exists a z-accepted routing 
system for which there exists a dispute wheel. To com- 
plete the proof, we need only check that the dispute 
wheel is a dispute ring. Note that the wheel has three 
pivot nodes. Furthermore, to check that no nodes are 
repeated around the wheel, we simply enumerate the 
elements of our dispute wheel: Q; = 71%)...%m-—1113 
0(Q:i) = t181-..8m-1t; 07(Qi) = tah... ty_iih 5 
P, = 41... in 0; o(P;) = 41 ...4,0; and o?(P;) = 7, ...27,0. 
It is straightforward to check that these paths constitute 
a dispute ring: in Figure 13, note that the dispute wheel 
constructed from these paths has no repeated nodes. a 


Lemma 2 completes the proof of the theorem: we have 
shown that if some z-accepted ranking exists satisfying 
the conditions of the theorem, then using only permutation 
invariance and scale invariance we can build a z-accepted 
routing system with a dispute ring. This routing system is 
then unsafe under filtering, by Proposition 2. 


The preceding theorem suggests that local verifiers that are 
safe under filtering are very closely related to the shortest 
hop count verifier, since no rankings can be accepted where 
n hop paths are less preferred than n + k hop paths, for k > 
2. The next theorem draws this relationship even closer, by 
proving that there exists a dispute wheel if a local verifier 
accepts any ranking where an n hop path is less preferred 
than an n + 1 hop path. 
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Theorem 2 Let 7 be a local verifier. Suppose there exists a 
node i with t-accepted ranking <;, and two paths R;, Py € 


PN such that length(R;) = length(P;) + land R; >; P;. 
Then there exists a m-accepted routing system with a dispute 
wheel. 


Proof. As in the proof of Lemma 2, our basic approach is 


to map the path P; into the “tail” of the path R;. This par- 
tially defines a permutation o. Using a graphical approach, 
we show how to add nodes to the system and complete the 
permutation o so that period;(c) = period(c). We then ap- 
ply Lemma | to conclude there exists a 7-accepted routing 
system with a dispute wheel. 

To begin, write Ry; = 771...%,0, and P; = tv, ...U,_10. 
We will partially define a permutation o, and then add 
nodes and “complete” the permutation so that o satisfies 
the conditions of Lemma 1. For all nodes 7 ¢ R;UP;,, 
we define o(j) = j. Let V = RiUP \ {0} = 
{i,i1,...,%n,U1,---,;Un-1}3 ie. V is the set of the nonzero 
nodes in R;\J P;. We define a directed graph on the ver- 
tex set V, by defining the set of arcs A as follows: A = 
{(2, 71) } Ut(or, tegi) 1 & = 1,...,n—1}. Define the graph 
G = (V, A). 

We can immediately make the following observations 
about G: (1) each node in V has either exactly one outgo- 
ing link and no incoming links; or exactly one incoming link 
and no outgoing links; or exactly one incoming link and ex- 
actly one outgoing link; and (2) from the definition of A, 
node 7 has exactly one outgoing link and no incoming links. 
We interpret the graph G as a partial representation of the 
permutation o, by defining o(7) = kif (j,k) € A. 

Of course, this only partially defines o, and we now con- 
sider how we should complete the definition of o. Let 
T,,...Zm be the disjoint connected components of G; we 
write T;, = (V;, Ax). By the definition of “connected com- 
ponent”, we know VN Vg, = Ap MN Ay =O fork 4 k’. We 
assume without loss of generality that 7 € V1. 

Our approach is to first define o for all the nodes in each 
connected component T;, for k = 2,...,m. From the 
observations above, we can enumerate the nodes in Vx as 
Vi = {u1, u2,..., ue}, such that each wu, has a link to u,41, 
forr = 1,...,@— 1; and either uz has no outgoing links (in 
which case T;, is just a “segment’) or ug has a link to uw; (in 
which case T;, is a “cycle”). We define o(u,-) = U,41, where 
we interpret we+1 aS ui. Thus, in a segment or cycle, each 
node is mapped to its successor; in addition, in a segment, 
the last node is mapped to the first node. This defines the 
permutation o for all nodes, except those in V;. 

To complete the proof, we will add enough nodes and ex- 
tend the definition of o so that period;(o) = period(o); 
we can then apply Lemma 1. Note that for all nodes 7 € 
V2 U---U Vin, we can compute period ;(c) based on the 
preceding definition. Let Kk be the least common multiple 
of period; (a), over all 7 € Vo U---U Vin. We then add 
nodes to the system, and in particular to the set V;, until 
|Vi| (.e., the number of nodes in V;) is a multiple of K. 
Let the nodes added be z1,...,2;; these nodes will eventu- 
ally become the pivots of the dispute wheel. We know that 


A; must be of the form {(i,71), (i1,u1),..-, (ue—1, ue)} 
for some nodes u1,...,ue € V. We define o as follows: 
a(t) = %13 o(41) = un; o(uy) = Urq, forr =1,...,0—1; 


o(ue) = 213 O(Zr) = 2r41, for 1 < r < s —1; and 
a(zs) = t. Thus, it is as if we added the nodes z1,..., 2s, 
and turned the segment TJ into a cycle. Since the length of 
this cycle is a multiple of K, it is clear that period(c) is a 
multiple of kK, and period, (a) = period(c). 

By scale invariance, even though we have added nodes 
to the system, we can extend <; to a 7-accepted ranking 
over the resulting larger set of paths, while maintaining 


the preference of R,; over P, for node 2. Furthermore, 
recalling our initial definition of the arc set A, it is clear 
that we have R; = ti, ...i,0 = io(t)o(v1)...0(Un_-1)0 = 
io(i)o(P;)0. Thus, we can apply Lemma 1, with QO; = 0, 
to conclude there exists a 7-accepted routing system with a 
dispute wheel. | 


The preceding results should not be interpreted as suggest- 
ing that we cannot find a routing system that is safe under 
filtering, where nodes prefer n + & hop paths over n hop 
paths. Indeed, as we know from Example 6, there exist rout- 
ing systems where nodes prefer 3 hop paths over 1 hop paths, 
and yet the system is safe under filtering. However, checking 
whether such systems are safe under filtering requires global 
verification; the theorems we have presented suggest safety 
under filtering cannot be guaranteed through local verifica- 
tion alone, if some nodes are allowed to prefer n + k hop 
paths over n hop paths. 

Furthermore, the preceding two results highlight the im- 
portance of dispute rings in our discussion. Theorem | gives 
the strong result that a verifier that allows some n + & hop 
path to be more preferred than an n hop path cannot guar- 
antee safety under filtering, if k > 2. However, Theorem 2 
only guarantees existence of a dispute wheel if a verifier that 
allows some n + 1 hop path to be more preferred than an n 
hop path; and we cannot draw conclusions regarding the sta- 
bility or safety of our system on the basis of a dispute wheel, 
again as pointed out by Example 6. 


7. Conclusion 


This paper has explored the fundamental tradeoff between 
the expressiveness of rankings and routing safety, presum- 
ing that each AS: (1) specifies its rankings independently of 
other ASes and (2) retains complete freedom over filtering. 
We characterize the interactions between filtering and rank- 
ings and present the first systematic study of how filtering 
can introduce instability into a routing system. We show that, 
with ranking independence and unrestricted filtering, guar- 
anteeing the safety of the routing system essentially requires 
each AS to rank routes based on AS path length. 

This paper makes three main contributions. First, we show 
that next-hop rankings are not safe; we also observe that al- 
though rankings based on a globally consistent weighting of 
paths are safe under filtering, even minor generalizations of 
the weighting function compromise safety. Second, we de- 
fine a dispute ring and show that any routing system that has 
a dispute ring is not safe under filtering. Third, we show 
that under ranking independence and unrestricted filtering, 
the set of allowable rankings that guarantee safety is effec- 
tively ranking based on (weighted) shortest paths. 

In light of the results we present, a natural question to ask 
is whether they are positive or negative. In one sense, our 
results are grim, because they suggest that if BGP remains 
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in its current form and each AS establishes filters arbitrar- 
ily and specifies rankings autonomously, then the routing 
system will generally be unsafe unless each AS constrains 
its rankings over available paths to those that are consistent 
with shortest hop count (or, alternatively, preferences that are 
based on consistent edge weights). 

On the other hand, our results are positive, because they 
suggest a clear direction forward: BGP must be modified if 
ASes are to filter without restriction and retain ranking in- 
dependence, without compromising routing safety. Our re- 
sults in Section 4.2, which show that routing using prefer- 
ences derived from edge weights is guaranteed to be stable, 
suggest one possibility for modification. Suppose each AS 
ranks paths based on the sum of edge weights to the desti- 
nation and adjusts weights on its incident outgoing edges to 
neighboring ASes. Rankings would then be derived from the 
total path cost, but an AS might still retain enough flexibil- 
ity to control the next-hop AS en route to the destination. 
Such an approach could ensure that the protocol is safe on 
short timescales, while allowing “policy disputes” to occur 
on longer timescales, out-of-band from the routing protocol. 
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